Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[SecurityBundle] Revert adding _stateless attribute to the request when firewall is stateless and the attribute is not already set#58017

Merged
nicolas-grekas merged 1 commit into
symfony:6.4from
MatTheCat:ticket_50715
Aug 16, 2024
Merged

Conversation

@MatTheCat
Copy link
Copy Markdown
Contributor

@MatTheCat MatTheCat commented Aug 15, 2024
edited
Loading

Q A
Branch? 6.4
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix #50715
License MIT

#40372 was about routes matching both stateful and stateless firewalls: you couldn’t easily configure them as stateless under a stateless firewall only.

#48044 fixed it by linking these two attributes: a stateless firewall then implied a stateless request. While it can sound logical, this impacted many projects using the session while authenticating users in a stateless fashion.

At last, #49997 allowed to override this behavior by explicitly configuring routes as not stateless. This kind of proved that #48044 was a mistake: you cannot tell a request must be stateless only because it matches a stateless firewall.

As such, this PR reverts #48044 (and consequently #49997) so that configuring routes as stateless is the developers responsibility alone. It also reopens #40372, but I think this issue should be fixed in an opt-in way (with a new firewall.stateless.with_routes boolean configuration in the SecurityBundle e.g.).

@MatTheCat MatTheCat requested a review from chalasr as a code owner August 15, 2024 17:01
@carsonbot carsonbot added this to the 7.2 milestone Aug 15, 2024
@nicolas-grekas
Copy link
Copy Markdown
Member

nicolas-grekas commented Aug 16, 2024

I'd go with a bugfix on my side. The side-effect of reverting this on 6.4 would be that requests won't be marked as stateless anymore for some, and that should be fine since this is just adding a safeguard, isn't it?

@chalasr
Copy link
Copy Markdown
Member

chalasr commented Aug 16, 2024

I agree with reverting this on 6.4.
About re-introducing this but opt-in, after all I don't think we need much more than what we have already with the session usage panel in the profiler. Maybe some kind of more visible warning could be added there or in the toolbar when the session is used under a stateless firewall.

@chalasr chalasr modified the milestones: 7.2, 6.4 Aug 16, 2024
@MatTheCat
[SecurityBundle] Revert adding _stateless attribute to the request …
47baed9 
…when firewall is stateless and the attribute is not already set
@MatTheCat
Copy link
Copy Markdown
Contributor Author

MatTheCat commented Aug 16, 2024
edited
Loading

Rebased on 6.4 and updated the description accordingly.

@nicolas-grekas yes the only impact is that you’ll no longer be warned about session usage from a route configured as stateless under a stateless firewall.

@chalasr not sure about what you’re proposing, but I guess that would be another PR anyway!

@nicolas-grekas nicolas-grekas changed the base branch from 7.2 to 6.4 August 16, 2024 09:44
@nicolas-grekas
Copy link
Copy Markdown
Member

nicolas-grekas commented Aug 16, 2024

Thank you @MatTheCat.

@nicolas-grekas nicolas-grekas merged commit 643fcae into symfony:6.4 Aug 16, 2024
This was referenced Aug 16, 2024
Closed
Merged
@MatTheCat MatTheCat deleted the ticket_50715 branch August 16, 2024 09:46
@VincentLanglet VincentLanglet mentioned this pull request Aug 16, 2024
Closed
@MatTheCat MatTheCat mentioned this pull request Aug 16, 2024
Merged
javiereguiluz added a commit to symfony/symfony-docs that referenced this pull request Aug 28, 2024
@javiereguiluz
minor #20120 [Security] Remove note about stateless firewalls marking…
5d5a301 
… routes as stateless (MatTheCat)

This PR was merged into the 6.4 branch.

Discussion
----------

[Security] Remove note about stateless firewalls marking routes as stateless

Following symfony/symfony#58017

Commits
-------

768ef5a [Security] Remove note about stateless firewalls marking routes as stateless
This was referenced Aug 30, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chalasr chalasr chalasr approved these changes

Assignees

No one assigned

Labels

Feature SecurityBundle Status: Reviewed

Projects

None yet

Milestone

6.4

Development

Successfully merging this pull request may close these issues.

Automagically flagging requests as stateless breaks valid session access

4 participants

@MatTheCat @nicolas-grekas @chalasr @carsonbot